Trusting user installed certificates. Here we see how to bypass a restriction on Android applications targeting API 24 and above, the restriction is a security control added to these Android versions that changes how the systems trust user-installed certificates, meaning that these certificates are no longer trusted by default. You may need to bypass this restriction while trying to intercept the traffic of an Android application.
As clearly stated on the Android documentation, “by default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default“. Applications targeting API 24 and above do not trust user-installed certificates, this can be a problem if you are trying to intercept the traffic of the application during a penetration testing exercise.
This is used with applications targeting API 24 and above. API 23 and below trust user-installed certificates by default.
For these Android versions (API 24 and above) a network configuration feature was added that lets applications customize their network security settings in a safe, declarative, configuration file without modifying the application code [1]. For instance, the next XML file (network_security_config.xml) configures the application to trust only system certificates (note that this is just a basic configuration, there is a lot of other stuff that you can configure via this way, refer to the Android documentation for details).
Once this file is created, you also need to reference it on the AndroidManifest.xml file, you do this with the android:networkSecurityConfig tag within the application configuration tag, as shown below:
android:networkSecurityConfig="@xml/network_security_config"
With the network configuration shown above, the application is instructed only to trust system certificates and not user-installed certificates. If you are looking to intercept the traffic for said application, even if you install your proxy’s certificate on the Android device you will still not be able to intercept it’s application, then this restriction comes as a problem that needs to be worked around during a pentest.
One way to bypass this restriction is to reverse engineer the application to edit the network configuration file.
Reverse engineering the application
One way yo do this is to reverse engineer the application and edit the network configuration file in order instruct the application to trust user-installed certificates. First let’s pull the applications apk file and reverse it using apktool:
Modifying the application’s network configuration
Now go into the application folder created by apktool and look for the AndroidManifest.xml file, here look for android:networkSecurityConfig within the application tag, here you will find the name and location of the network configuration file, in this case it is located in the xml folder and named as network_security_config:
Navigate to the res/xml folder and open the network_security_config.xml file:
Edit the file to add a new trust anchor, this will instruct the application to trust user-installed certificates, as shown below. Save, exit and and head back to the folder where apktool created the application folder.
Re-building the application
Now that we have edited the network configuration file, we have to re-build the application using apktool (instead of the d parameter we use the b parameter):
Signing the modified application
After building the modified application, a new folder (dist) will be created within the application folder. Now, we need to sign the just re-builded application apk with our development key, this is needed to be able to run the application on any Android device. We do this using jarsigner:
After you enter the key’s password, you will get an output similar to this:
zipaligning the signed application
Once signed, we need to zipalign the apk:
Intercepting the traffic
Once the application is ready, we try to intercept the traffic for the modified application, refer here for more information on how to intercept traffic for an Android application. We set everything up and use mitmproxy to intercept the traffic:
Select one of the requests using the arrow keys and inspect it with an enter:
Conclusion
For Android applications targeting API 24 an above, there is a security restriction which disables the application to trust user-installed certificates by default, one of the ways to work around this restriction during a pentest exercise is to reverse engineer the application and edit the network security configuration file in order to instruct the application to trust these kind of certificates (user-installed).
[1] https://developer.android.com/training/articles/security-config
Recent Comments